CVE-2026-6993: Unintended Intermediary in go-kratos kratos
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
AI Analysis
Technical Summary
This vulnerability in go-kratos kratos (<= 2.9.2) involves the NewServer function's handling of the http.DefaultServeMux Fallback Handler, leading to unintended intermediary behavior (CWE-441). The flaw allows remote attackers to manipulate the server behavior potentially, as indicated by the CVSS 6.9 (medium) score with network attack vector and no privileges or user interaction required. The issue is fixed by applying the patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d.
Potential Impact
The vulnerability allows remote attackers to cause unintended intermediary behavior in the HTTP server component, which may lead to unexpected request handling or routing. This could affect the integrity or availability of the service depending on the specific exploitation, but no direct impact such as privilege escalation or data disclosure is described. The CVSS score of 6.9 reflects a medium severity impact with low complexity and no required privileges.
Mitigation Recommendations
A patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d is available and should be applied to affected versions (2.9.0, 2.9.1, 2.9.2) of go-kratos kratos to remediate this vulnerability. Patch status is not explicitly confirmed in a vendor advisory, so users should verify the patch application and monitor official vendor channels for updates.
CVE-2026-6993: Unintended Intermediary in go-kratos kratos
Description
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
CVSS v4.0
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in go-kratos kratos (<= 2.9.2) involves the NewServer function's handling of the http.DefaultServeMux Fallback Handler, leading to unintended intermediary behavior (CWE-441). The flaw allows remote attackers to manipulate the server behavior potentially, as indicated by the CVSS 6.9 (medium) score with network attack vector and no privileges or user interaction required. The issue is fixed by applying the patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d.
Potential Impact
The vulnerability allows remote attackers to cause unintended intermediary behavior in the HTTP server component, which may lead to unexpected request handling or routing. This could affect the integrity or availability of the service depending on the specific exploitation, but no direct impact such as privilege escalation or data disclosure is described. The CVSS score of 6.9 reflects a medium severity impact with low complexity and no required privileges.
Mitigation Recommendations
A patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d is available and should be applied to affected versions (2.9.0, 2.9.1, 2.9.2) of go-kratos kratos to remediate this vulnerability. Patch status is not explicitly confirmed in a vendor advisory, so users should verify the patch application and monitor official vendor channels for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-24T19:43:37.550Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.00035
- Epss Percentile
- 0.10413
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69ed0d1987115cfb682ea5c6
Added to database: 4/25/2026, 6:51:05 PM
Last enriched: 5/3/2026, 7:25:27 AM
Last updated: 6/9/2026, 8:18:38 PM
Views: 106
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.